Fw: FTP Passive/Active

From: Johnny Dedon (johnny.dedon@xxxxxxxxxx)
Date: Fri May 11 2001 - 19:12:52 GMT-3

I think this has already been answered, but here is another explanation.
Johnny Dedon
Senior Staff Consultant
Exodus Professional Services
johnny.dedon@exodus.net
www.exodus.net
----- Original Message -----
From: "Roman Rodichev" <rrodichev@emasterlink.com>
To: <johnny.dedon@exodus.net>
Sent: Friday, May 11, 2001 4:59 PM
Subject: FTP Passive/Active

> Johnny,
>
> I've read your message on the CCIE group study about ACL for FTP traffic. I
> thought I'd help you. I joined the list about two weeks ago, but I still
> haven't gotten the verification, so I can't post anything yet. Please post
> my message on the board, it could help other people.
>
> Active FTP mode:
>
> Client (port 1024) ==> Server (port 21)
> Client (port 1024) <== Server (port 21) ACK
> Client says "PORT 1025"
> Client (port 1025) <== Server (port 20)
> Client (port 1025) ==> Server (port 20) ACK
>
> Passive FTP mode:
>
> Client (port 1024) ==> Server (port 21)
> Client (port 1024) <== Server (port 21) ACK
> Client says "PASV"
> Server says "PORT 2222" (first available)
> Client (port 1025) ==> Server (port 2222)
> Client (port 1025) <== Server (port 2222) ACK
>
> So to answer your question, you need this for inbound access list on the
> local interface with FTP clients:
>
> access-list 102 permit tcp host 10.10.10.1 gt 1023 199.200.1.0 0.0.0.255 eq
> ftp (would allow ACTIVE and PASSIVE to initiate from client's side)
>
> access-list 102 permit tcp host 10.10.10.1 gt 1023 199.200.1.0 0.0.0.255 eq
> ftp-data established (would allow ACTIVE FTP sessions to return to the
> server)
>
> But unfortunately to enable PASSIVE ftp sessions you would have to do this
> access-list 102 permit tcp host 10.10.10.1 gt 1023 199.200.1.0 0.0.0.255 gt
> 1023
>
>
> Good Luck
**Please read:http://www.groupstudy.com/list/posting.html
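As an added illustration, not part of the thread above: the three access-list 102 lines quoted by Roman are modelled as match predicates and evaluated against the client-side packets of the active and passive exchanges he describes. The server address 199.200.1.5 and the use of port 2222 as the passive data port are assumed; the check shows that the first two lines cover active mode only, and that the "gt 1023" line needed for passive mode also permits client-initiated connections to any high port on the server subnet.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the inbound ACL on the client-side interface.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool = False  # True when TCP ACK (or RST) is set, i.e. "established"

def port_match(spec, port):
    """spec is ("eq", n) or ("gt", n), as in IOS ACL syntax."""
    op, value = spec
    return port == value if op == "eq" else port > value

def make_rule(src_host, src_port, dst_net, dst_port, established=False):
    net = ipaddress.ip_network(dst_net)  # 199.200.1.0 0.0.0.255 == /24
    def match(pkt):
        return (pkt.src == src_host
                and port_match(src_port, pkt.sport)
                and ipaddress.ip_address(pkt.dst) in net
                and port_match(dst_port, pkt.dport)
                and (pkt.ack or not established))
    return match

# The two lines that handle active FTP (control to 21, data ACKs to 20).
ACL_102 = [
    make_rule("10.10.10.1", ("gt", 1023), "199.200.1.0/24", ("eq", 21)),
    make_rule("10.10.10.1", ("gt", 1023), "199.200.1.0/24", ("eq", 20),
              established=True),
]
# The extra line required for passive FTP: any high port to any high port.
PASSIVE_RULE = make_rule("10.10.10.1", ("gt", 1023), "199.200.1.0/24",
                         ("gt", 1023))

def permitted(acl, pkt):
    return any(rule(pkt) for rule in acl)  # implicit deny at the end

SERVER = "199.200.1.5"  # assumed host inside 199.200.1.0/24
# Client-to-server packets of each mode, taken from the thread's exchange.
ACTIVE = [Packet("10.10.10.1", 1024, SERVER, 21),
          Packet("10.10.10.1", 1025, SERVER, 20, ack=True)]
PASSIVE = [Packet("10.10.10.1", 1024, SERVER, 21),
           Packet("10.10.10.1", 1025, SERVER, 2222)]

def session_allowed(acl, packets):
    return all(permitted(acl, p) for p in packets)
```

Running `session_allowed(ACL_102, PASSIVE)` returns False until `PASSIVE_RULE` is appended, after which a client SYN from any port above 1023 to, say, 8080 on the server subnet is also permitted, which is why stateful FTP inspection is preferred over a static high-port rule.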



This archive was generated by hypermail 2.1.4 : Thu Jun 13 2002 - 10:30:40 GMT-3